OPNsense Forum

English Forums => General Discussion => Topic started by: motoridersd on November 03, 2023, 05:14:46 PM

Title: One to One NAT/Port Forward to Virtual IP in a LAN interface
Post by: motoridersd on November 03, 2023, 05:14:46 PM
I'm trying to set up a NAT that will allow me to reach devices behind a local LAN interface using a Virtual IP (IP Alias) or a non-WAN IP. The goal is to be able to reach devices behind this NAT using a VPN tunnel.

Say I have a /29 subnet on the LAN side of Site B and I want to reach local-only devices through a Virtual IP that is part of the /29 through a NAT.

Site A OPNSense 172.0.0.1/29
Site A Virtual IP#1 172.0.0.3 -> Site A local device 10.0.0.1
Site A Virtual IP#2 172.0.0.2 -> Site A local device 192.168.1.1

I can't route the Site A local device IPs across the tunnel, so I would like to reach them using an IP that is part of the /29 that is already routed across the tunnel. Getting to the local devices should be achieved by either adding a Virtual IP in the same subnet to the LAN interface, or using a separate interface that lives on the same local subnet as the device.

The problem I'm running into is that most NAT guides and documentation are for a NAT on the WAN interface. Looking at the NAT rules with pfctl when trying different iterations doesn't seem to be showing me the flow I'm expecting.

In the end I want to be able to reach 10.0.0.1 using 172.0.0.3, and 192.168.1.1 using 172.0.0.4 across the tunnel. I can reach the OPNsense 172.0.0.1 IP across the tunnel, no problem. I can ping the Virtual IPs, but getting the NAT working is what is failing me. I can get to the Virtual IPs across the tunnel, but they are acting like extensions of the OPNsense LAN IP, i.e., I can open the OPNsense Web GUI on both Virtual IPs, which is not desired.

Is what I want to achieve doable? It should be. I know I can do this on a Fortigate or a Cisco ASA; I just can't seem to translate this into OPNsense.

Title: Re: One to One NAT/Port Forward to Virtual IP in a LAN interface
Post by: Monviech (Cedrik) on November 03, 2023, 05:27:46 PM
Do you mean NAT before IPsec?

https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html#ipsec-binat-nat-before-ipsec

Title: Re: One to One NAT/Port Forward to Virtual IP in a LAN interface
Post by: motoridersd on November 03, 2023, 07:19:07 PM
Mmm, not exactly. What is the Security Policy Database (SPD) referred to on that link? It's also not 100% complete; it is missing the IP subnet in the LAN Site B diagram.

I'm using WireGuard in my case, so there isn't a Virtual Net A and Virtual Net B; both nodes are part of the same Tunnel /24, with a single address on each side.

What if there was no tunnel involved, how would you do a NAT between two LAN IPs? Say you want to access 192.168.1.1 using a different LAN IP of 172.0.0.3? Both subnets are connected behind the same interface. Or say the 192.168.1.1 device is connected to a different interface on the OPNsense firewall. It would be easiest if it can all be done in the same interface with an alternate IP (say a 192.168.1.253/29 Virtual IP in this case) assigned to the same interface so the firewall can reach the host at 192.168.1.1.

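The translation asked for in the first post and restated above, written as raw pf rules of the kind `pfctl -sn` / `pfctl -sr` would list (an added example, not the OP's configuration and not OPNsense-generated output; the interface names `wg0` and `igb1`, the tunnel network 10.255.0.0/24 and the helper Virtual IPs 10.0.0.253 and 192.168.1.253 on the LAN interface are assumptions, and the VIP-to-device pairs are the ones from the last paragraph of the first post):

```pf
# Added example (assumed names and addresses), FreeBSD pf syntax as used by OPNsense.
wg_if      = "wg0"            # WireGuard tunnel interface (assumption)
lan_if     = "igb1"           # LAN interface holding 172.0.0.1/29 (assumption)
tunnel_net = "10.255.0.0/24"  # the tunnel /24 both WireGuard nodes sit in (assumption)

# Source NAT on the LAN side: the local devices cannot route back to the tunnel
# network, so replies are addressed to a Virtual IP the firewall holds in each
# device's own subnet (10.0.0.253 and 192.168.1.253 are assumed helper VIPs).
nat on $lan_if inet from $tunnel_net to 10.0.0.1    -> 10.0.0.253
nat on $lan_if inet from $tunnel_net to 192.168.1.1 -> 192.168.1.253

# Destination NAT: anything arriving over the tunnel for a Virtual IP is rewritten
# to the local device before filtering, so the VIPs stop answering as the firewall
# itself (no web GUI reachable on 172.0.0.3 / 172.0.0.4 any more).
rdr on $wg_if inet from $tunnel_net to 172.0.0.3 -> 10.0.0.1
rdr on $wg_if inet from $tunnel_net to 172.0.0.4 -> 192.168.1.1

# Filter rules see the already-translated destination, so they must allow the real
# device addresses, not the Virtual IPs; narrow the source/ports to what is needed.
pass in quick on $wg_if inet from $tunnel_net to { 10.0.0.1, 192.168.1.1 } keep state
```

Check the syntax with `pfctl -nf <file>` before loading anything; in the GUI these correspond to a Port Forward on the tunnel interface (Firewall: NAT: Port Forward) plus an Outbound NAT rule on the LAN interface (Firewall: NAT: Outbound), which is where the rules end up when `pfctl -sn` is compared against the expected flow.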
Title: Re: One to One NAT/Port Forward to Virtual IP in a LAN interface
Post by: Tech34 on July 16, 2024, 10:02:02 AM
Hello, I'm having the same issue. Did you find a solution to your problem?